This condition applies when there is no discernible network incident activity and
no malicious code activity with a moderate or severe risk rating. Under these conditions,
only a routine security posture, designed to defeat normal network threats, is warranted.
Automated systems and alerting mechanisms should be used.

This condition applies when knowledge or the expectation of attack activity is present
without specific events occurring, or when malicious code reaches a moderate risk rating.
Under this condition, a careful examination of vulnerable and exposed systems is appropriate,
security applications should be updated with new signatures and/or rules as soon as
they become available, and careful monitoring of logs is recommended. Changes to the
security infrastructure are not required.

This condition applies when an isolated threat to the computing infrastructure is
currently underway or when malicious code reaches a severe risk rating. Under this
condition, increased monitoring is necessary, security applications should be updated
with new signatures and/or rules as soon as they become available, and redeployment
and reconfiguration of security systems are recommended. People should be able to maintain
this posture for a few weeks at a time, as threats come and go.

This condition applies when extreme global network incident activity is in progress.
Implementing the measures in this Threat Condition for more than a short period will
probably create hardship and affect the normal operations of network infrastructure.